Your Uber Account Might Be Up For Sale

Your Uber account may be open to anyone, anywhere, at any time. Hackers across the globe are buying and selling them every day for as little as $2.99.

Author: Whitney Wild

Published: 9:53 PM EDT August 1, 2017

Updated: 9:57 PM EDT August 1, 2017


The WUSA9 Special Assignment Unit got an inside look at the dark web -- accessible only through a specific browser -- where stolen Uber accounts are bought and sold every day.

Think of the internet as an iceberg: most of us can only see the tip with search engines like Google and Yahoo. But beneath that is a part of the internet called the deep web -- that's your email account and password-protected sites.

“It is guaranteed that at least once a year one of your credentials will get leaked and stolen,” Essaid said.

His company, Distil Networks, builds barricades for companies like StubHub that protect against hackers.

StubHub is like a castle. Distil Networks builds the castle wall.

“A lot of consumers use the same username and passwords in a lot of different places,” he said. “The bad guys are able to find a number of accounts that work.”

Essaid explained hackers buy credentials in bulk, then program bots to conduct “credential stuffing.” That's when they cram stolen usernames and passwords into sites and applications until one opens. After that, the hacker has a credential he or she knows will work.

When users maintain the same password for multiple profiles, hackers have a key that unlocks a list of applications and profiles using that one password.

That means your important personal information is just a few keystrokes away on the dark web. The results could be catastrophic if a hacker taps into banking applications or sites containing Social Security numbers.

With Uber the impact is minimized. Uber spokeswoman Melanie Ensign told WUSA9 that fraudulent trips comprise a small number of reports.

“In cases where fraud is confirmed, Uber pays the driver and refunds the rider,” Ensign said.

Uber profiles don’t display full credit card numbers either -- only the last four digits. So hackers are able to steal only a few free rides.

Back in Denver, this has taught Jeremy Jojola as much about himself as it did about hacking.

“I’ve come to realize that I’m a lazy moron myself, because I know that I should be using different passwords for every different social media account I use,” Jojola said. “But I got lazy.”

For Goren, the hack was just too creepy, so for now she’s off Uber, indefinitely.

“I’ve actually never been hacked in my life,” Goren said. “That’s why I never thought it would be at this personal level.”

Cox, Essaid and Ensign recommended the website www.haveibeenpwned.com to check if your credentials have been leaked.

By the way, the website is pronounced “Have I Been Powned,” if you’re inclined to say it out loud.